Sherman's Security Blog
I am Sherman Hand. (also known as Policysup) I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down to earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations,re posts, or information that is already in the public domain.

Monthly Archives: September 2017

Air-gapped computers that are isolated from the Internet and physically separated from local networks are believed to be the most secure computers which are difficult to infiltrate.

However, these networks have been a regular target in recent years for researchers, who have been trying to demonstrate every possible attack scenarios that could compromise the security of such isolated networks.

Security researchers from Ben-Gurion University in Israel have previously demonstrated several ways to extract sensitive information from air-gapped computers.

Now, the same University researchers have discovered another way to steal confidential information from air-gapped computers – this time with the help of infrared-equipped CCTV cameras that are used for night vision.

Researchers have developed a new attack scenario, dubbed aIR-Jumper, which includes an infected air-gapped computer (from which data needs to be stolen) and an infected CCTV network (that has at least one CCTV installed inside the premises facing the infected computer and one outside the premises), assuming that both networks are isolated from each other, and none of them is Internet-connected.

Ignoring the fact that how an air-gapped computer and CCTV network got infected with malware in the first place, the new research focused on, once infected, how the malware would be able to transfer the stolen data back to the attackers (waiting outside the premises).

To read and send data, the aIR-Jumper malware installed on air-gapped computer and CCTV network blink IR LEDs in morse-code-like patterns to transmit files into the binary data, i.e. 0 and 1.

The data from a video camera can be transmitted at 20 bits per second to an attacker at a distance of tens of meters away and from an attacker to a video camera at 100 bits per second, even in total darkness.

Since the attack is meant to steal files in binary data, attackers wouldn’t be able to steal any large files but could get their hands on passwords, cryptographic keys, PIN codes and other small bits of sensitive data stored on the targeted computer.

“In an infiltration scenario, an attacker standing in a public area (e.g., in the street) uses IR LEDs to transmit hidden signals to the surveillance camera(s),” the researchers say. “Binary data such as command and control (C&C) and beacon messages are encoded on top of the IR signals.”

The researchers also published two videos demonstration, showing two attack scenarios.

In the first video, the researchers demonstrated how the malware installed on the air-gap computer collected data, converted it into binary and then blinked LED accordingly. At the same time, the infected camera captured this pattern and the malware installed on the camera converted the morse-code back into the binary data.

In the second video, another internally-connected camera installed outside the premises (in the parking area) transmitted the stolen binary data to the attackers sitting in the car using IR LED in morse-code-like patterns.

Attackers can simply capture the blink of the CCTV using their own camera and can decrypt the data later.

Here the infected CCTV camera is working as a bridge between the air-gapped computer and the remote attackers, offering a bi-directional covert channel.

It’s not the first time Ben-Gurion researchers came up with the technique to target air-gapped computers. Their previous research of hacking air-gap computers include:

USBee attack that can be used steal data from air-gapped computers using radio frequency transmissions from USB connectors.

DiskFiltration attack that can steal data using sound signals emitted from the hard disk drive (HDD) of the targeted air-gapped computer;

BitWhisper that relies on heat exchange between two computer systems to stealthily siphon passwords or security keys;

AirHopper that turns a computer’s video card into an FM transmitter to capture keystrokes;

Fansmitter technique that uses noise emitted by a computer fan to transmit data; and

Now, the Securities and Exchange Commission (SEC), the top U.S. markets regulator, has disclosed that hackers managed to hack into its financial document filing system and may have illegally profited from the stolen information.

On Wednesday, the SEC announced that its officials learnt last month that a previously detected 2016 cyber attack, which exploited a “software vulnerability” in the online EDGAR public-company filing system, may have “provided the basis for illicit gain through trading.”

EDGAR, short for Electronic Data Gathering, Analysis, and Retrieval, is an online filing system where companies submit their financial filings, which processes around 1.7 million electronic filings a year.

The database lists millions of filings on corporate disclosures—ranging from quarterly earnings to sensitive and confidential information on mergers and acquisitions, which could be used for insider-trading or manipulating U.S. equity markets.

The hackers exploited the flaw last year in the EDGAR system, which was “patched promptly” after its discovery, to gain access to its corporate disclosure database and stole nonpublic information, SEC chairman Jay Clayton said in a long statement on Wednesday evening.

“We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”

Clayton further said the SEC is currently investigating the incident and is cooperating with law enforcement authorities.

Besides this, SEC officials are also looking at cases of individuals who they believe placed false SEC filings on their EDGAR system in order to profit from the “resulting market movements.”

The SEC’s disclosure comes two weeks after credit-reporting firm Equifax announced the company had been a victim of a hack that resulted in the theft of personal data on over 143 million Americans.

Such incidents raise concerns about the security policies of these companies.

As Reuters reported, months after the 2016 breach was detected, Government Accountability Office found that the SEC did not always use encryption, used unsupported software, and failed to implement well-tuned firewalls and other key security features while going about its business.

Are you sure the version of WhatsApp, or Skype, or VLC Player installed on your device is legitimate?

Security researchers have discovered that legitimate downloads of several popular applications including WhatsApp, Skype, VLC Player and WinRAR have reportedly been compromised at the ISP level to distribute the infamous FinFisher spyware also known as FinSpy.

FinSpy is a highly secret surveillance tool that has previously been associated with British company Gamma Group, a company that legally sells surveillance and espionage software to government agencies across the world.

The spyware has extensive spying capabilities on an infected computer, including secretly conducting live surveillance by turning ON its webcams and microphones, recording everything the victim types with a keylogger, intercepting Skype calls, and exfiltration of files.

In order to get into a target’s machine, FinFisher usually uses various attack vectors, including spear phishing, manual installation with physical access to the device, zero-day exploits, and watering hole attacks.

Your ISP May Be Helping Hackers To Spy On You

However, a new report published today by ESET claimed that its researchers had discovered new surveillance campaigns utilizing new variants of FinFisher in seven countries, which comes bundled with a legitimate application.

But how is this happening? Attackers are targeting victims using a man-in-the-middle (MitM) attack, where the internet service providers (ISP) are most likely operating as the “middle man”—bundling legitimate software downloads with FinFisher.

“We have seen this vector being used in two of the countries in which ESET systems detected the latest FinFisher spyware (in the five remaining countries, the campaigns have relied on traditional infection vectors),” the researchers say.

Previously published documents by WikiLeaks also indicated that the FinFisher maker also offered a tool called “FinFly ISP,” which is supposed to be deployed on ISP level with capabilities necessary for performing such a MitM attack.

Also, the infection technique (using the HTTP 307 redirect) was implemented in the same way in the two affected countries ESET discovered being targeted by the new variants of FinFisher. However, the firm did not name the affected countries “as not to put anyone in danger.”

Another fact which supports the ISP-level MitM attack is that all affected targets identified by the researchers within a country were using the same ISP.

“Finally, the very same redirection method and format have been used for internet content filtering by internet service providers in at least one of the affected countries,” the ESET report reads.

The popular applications targeted by the new variants of FinFisher include WhatsApp, Skype, VLC Player, Avast and WinRAR, and the ESET researchers said, “virtually any application could be misused in this way.”

Here’s How The Attack Works:

When the target users search for one of the affected applications on legitimate websites and click on its download link, their browser is served a modified URL, which redirects victims to a trojanized installation package hosted on the attacker’s server.

This results in the installation of a version of the intended legitimate application bundled with the surveillance tool.

“The redirection is achieved by the legitimate download link being replaced by a malicious one,” the researchers say. “The malicious link is delivered to the user’s browser via an HTTP 307 Temporary Redirect status response code indicating that the requested content has been temporarily moved to a new URL.”

This whole redirection process, according to researchers, is “invisible to the naked eye” and occurs without user’s knowledge.

FinFisher Utilizing a Whole Lot of New Tricks

The new tricks employed by the latest version of FinFisher kept it from being spotted by the researchers.
The researchers also note that the latest version of FinFisher received several technical improvements in terms of stealthiness, including the use of custom code virtualization to protect the majority of its components like the kernel-mode driver.

It also makes use of anti-disassembly tricks, and numerous anti-sandboxing, anti-debugging, anti-virtualization and anti-emulation tricks, aiming at compromising end-to-end encryption software and known privacy tools.

One such secure messaging application, called Threema, was discovered by the researchers while they were analyzing the recent campaigns.

“FinFisher spyware masqueraded as an executable file named “Threema.” Such a file could be used to target privacy-concerned users, as the legitimate Threema application provides secure instant messaging with end-to-end encryption,” the researchers say.

“Ironically, getting tricked into downloading and running the infected file would result in the privacy-seeking user being spied upon.”

In less than 30 seconds a hacker can install a $10 piece of pre-built hardware – easily purchased online – into a gas pump. This device is called a skimmer and it’s designed to get your credit card number when you use it at the pump.

A clever developer came up with a somewhat simple approach to protecting yourself at the gas station. The CEO and Founder of SparkFun, Nate Seidle, along with programmer Nick Poole, built a free, open-source Android app to detect popular skimmers.

The app detects a specific Bluetooth signal and, if found, it tries to establish a connection and send a command that will verify the existence of a skimmer in your general area. The app is looking for Bluetooth networks with an ID of HC-05, which turned out to be the default on devices Seidle tested; if it finds one you’ll be alerted.

SparkFun’s Bluetooth device-detecting app is called Skimmer Scanner and it’s a bare-bones tool that appears to work as intended. It’s free and open-source and the developer says it doesn’t keep or record any information.

In a fantastic blog post detailing a complete dissection of several of the devices, Seidle explains that most of the criminals are dealing in bulk:

The designers of this skimmer were smart, it’s better to make these devices easy to connect to than to add a layer of security. What’s the worst that could happen? The device is detected and removed from the pump. Meanwhile, 10 more have been deployed for a total cost of $100.

The only tool necessary is a key to unlock the pump. The locks are basic and there are no more than a few different key designs for all gas pumps – master keys for the model.

This isn’t new; for decades, criminals have been using various computer hardware devices to intercept credit card numbers during transactions. But hardware hacking is no longer the domain of only talented – albeit shady – individuals. It’s the purview of anyone with a laptop, a car, and the stolen credit card information necessary to buy an easily made piece of hardware online.

While I haven’t had the opportunity to ride around looking for skimmers yet, I can happily confirm that there are no skimmers scamming in my office.

EC-Council today announced the release of the new, fully-proctored Licensed Penetration Tester (LPT) certification, which will be launched at Hacker Halted, 2017. The new LPT (Master) certification exam is the first globally accepted, hands-on penetration testing certification exam administered in a fully proctored environment.

EC-Council today announced the release of the new, fully-proctored Licensed Penetration Tester (LPT) certification, which will be launched at Hacker Halted, 2017. The new LPT (Master) certification exam is the first globally accepted, hands-on penetration testing certification exam administered in a fully proctored environment.

Penetration testing professionals around the world will be able validate their skills in this new exam format launched by EC-Council. The new LPT (Master) certification exam will be delivered as a secure, fully-proctored, live certification test that can be taken anytime, anywhere by busy professionals.

Jay Bavisi, the president and CEO of EC-Council, commented “With the increase in the sophistication of cyber-attacks and with ever growing security needs, today’s digital enterprises are looking for experts that have proven abilities to function as competent penetration testers in order to secure their operations. The fully proctored, hands-on LPT (Master) certification exam combines effectiveness with convenience to deliver a highest standard of exam that enables the candidates to demonstrate expertise in applying their skills in a hands-on environment.”

The exam provides a level playing field where candidates are challenged to prove their skills as expert-level penetration testers. Bavisi added, “In the real world, penetration testers go through a strenuous, arduous and laborious process to keep their clients and organizations secure. This exam is meant to mimic the real-world environment and is meant to stress, burden and ardently push the candidates to their limits to test their actual abilities in penetration testing.”

The new LPT (Master) certification is the crown jewel of the EC-Council penetration testing track. It challenges candidates through a grueling 18 hours of hands-on exam categorized into three practical tests for six hour intervals, each of which provide a multidisciplinary approach for targeting and compromising high security environments. Upon completion of the exam, candidates will have to demonstrate an advanced understanding of testing modern infrastructures by completing a professional penetration test report to be evaluated by EC-Council experts for completeness and professionalism. For more information, please contact Saba.Mohammad(at)eccouncil.org.

About EC Council:
EC-Council has been the world’s leading information security certification body since the launch of their flagship program, Certified Ethical Hacker (CEH), which created the ethical hacking industry in 2002. Since the launch of CEH, EC-Council has added industry-leading programs to their portfolio to cover all aspects of information security including EC-Council Certified Security Analyst (ECSA), Computer Hacking Forensics Investigator (CHFI), Certified Chief Information Security Officer (CCISO), among others. EC-Council Foundation, the non-profit branch of EC-Council, created Global CyberLympics, the world’s first global hacking competition. EC-Council Foundation also hosts a suite of conferences across the US and around the world including Hacker Halted, Global CISO Forum, TakeDownCon, and CISO Summit.

It’s still taking many healthcare organizations far too long to discover a breach — much longer than in other sectors.

When it comes to healthcare security, security experts would rank the industry in the middle or toward the lower end of the pack, according to a panel of security leaders at Monday’s Healthcare Security Forum.

That because it’s still taking many healthcare organizations far too long to discover a breach — much longer than in other sectors, according to BitSight Technologies Co-founder And Chief Technical Officer Stephen Boyer.

According to Boyer, healthcare is in the middle and needs to work on remediating systems and improving patching and blocking policies. And its users are only amplifying risks by falling victim to malicious attacks.

Chief Information Security Officer of Christiana Care Health System Anahi Santiago would rank healthcare even lower, as the industry struggles with operational challenges. The need for accessibility in healthcare can prove challenging when it comes to the security team applying updates and patches.

“The threat landscape keeps getting worse and worse, and we can’t work at the rate the bad guys are moving,” said Santiago. “I think the industry is going to go backwards before it moves forward.”

Part of the problem is that healthcare is missing critical components — including IT and security hygiene, said VMware Senior Healthcare Strategist Chris Logan.

“Why are we still, in this day and age, with all of our high-tech information still missing the user?” said Logan. “We need to educate the user: enable them to do the right thing to get back to security hygiene.”

Penn Medicine CISO Dan Costantino finds the issue with healthcare’s security can boil down to culture. Much like Santiago, Costantino said that healthcare security will take a large step backward before it goes forward, as healthcare is a “reactionary culture.”

“The culture and mindset of being proactive is just foreign to so many levels of healthcare,” said Costantino. “So many departments are struggling now: something major is going to have to happen for that culture to shift.”

And the need for the shift will only increase as threats continue to become more sophisticated and prolific.

For Santiago, the greatest threat is the “speed of which we’re adopting tech and the fact that as security professionals, we need to keep up with that pace.”

This includes not only threats on the network, but the devices given to patients to take home, Santiago said. But her biggest fear is the vulnerability of systems and the potential inability to care for patients.

“There are so many different threats that can happen in a health system. And if we can’t take care of patients, we’re not doing what we set forth to do,” said Santiago.

Another less visible issue is asset management. According to Boyer, it’s a big challenge for IoT. There are millions of orphaned devices and millions of vulnerable devices that aren’t managed or tracked.

To get healthcare up to speed on its security needs, Logan said that security teams need to keep having those tough conversations up the chain of the organization.

“The patient is relying on you to have that conversation: Do what you have to do within your organization to make sure the risks are mitigated,” said Logan.

Costantino agreed: It’s all about people. But the issue is the story organizations are telling — aren’t right.

“Some security teams and system admins think end users are stupid. But that’s not the case,” said Costantino. “It’s that people don’t think about security the way you do. If you look at your policies, you can see why people act the way they do.”

An Oregon parent wanted details about school employees getting paid to stay home. A retired educator sought data about student performance in Louisiana. And college journalists in Kentucky requested documents about the investigations of employees accused of sexual misconduct.

Instead, they got something else: sued by the agencies they had asked for public records.

Government bodies are increasingly turning the tables on citizens who seek public records that might be embarrassing or legally sensitive. Instead of granting or denying their requests, a growing number of school districts, municipalities and state agencies have filed lawsuits against people making the requests — taxpayers, government watchdogs and journalists who must then pursue the records in court at their own expense.

The lawsuits generally ask judges to rule that the records being sought do not have to be divulged. They name the requesters as defendants but do not seek damage awards. Still, the recent trend has alarmed freedom-of-information advocates, who say it’s becoming a new way for governments to hide information, delay disclosure and intimidate critics.

“This practice essentially says to a records requester, ‘File a request at your peril,’” said University of Kansas journalism professor Jonathan Peters, who wrote about the issue for the Columbia Journalism Review in 2015, before several more cases were filed. “These lawsuits are an absurd practice and noxious to open government.”

Government officials who have employed the tactic insist they are acting in good faith. They say it’s best to have courts determine whether records should be released when legal obligations are unclear — for instance, when the documents may be shielded by an exemption or privacy laws.

At least two recent cases have succeeded in blocking information while many others have only delayed the release.

State freedom-of-information laws generally allow requesters who believe they are wrongly denied records to file lawsuits seeking to force their release. If they succeed, government agencies can be ordered to pay their legal fees and court costs.

Suing the requesters flips the script: Even if agencies are ultimately required to make the records public, they typically will not have to pay the other side’s legal bills.

“You can lose even when you win,” said Mike Deshotels, an education watchdog who was sued by the Louisiana Department of Education after filing requests for school district enrollment data last year. “I’m stuck with my legal fees just for defending my right to try to get these records.”

The lawsuit argued that the data could not be released under state and federal privacy laws and initially asked the court to order Deshotels and another citizen requester to pay the department’s legal fees and court costs. The department released the data months later after a judge ruled it should be made public.

Deshotels, a 72-year-old retired teachers’ union official who authors the Louisiana Educator blog, had spent $3,000 fighting the lawsuit by then. He said the data ultimately helped show a widening achievement gap among the state’s poorest students, undercutting claims of progress by education reformers.

The lawsuits have been denounced by some courts and policymakers. A New Jersey judge in 2015 said they were the “antithesis” of open-records policies and dismissed a case filed by a township against a person who requested police department surveillance video footage.

In Michigan, the state House voted 108-0 earlier this year in favor of a bill that would make it illegal for agencies to sue public records requesters. The proposal came in response to a county’s lawsuit against a local newspaper that had sought the personnel files of two employees running for sheriff. A judge dismissed the lawsuit, saying the county had to approve or deny the request.

The documents, ultimately released days before the election, showed that one of the candidates had been disciplined for carrying on an affair while on-duty in 2011. That candidate lost.

The Michigan bill’s sponsor, Republican Rep. Klint Kesto, called the tactic “a backdoor channel to delay and put pressure on the requester” that circumvents the state’s Freedom of Information Act.

“Government shouldn’t file a lawsuit and go on offense. Either approve the request or deny it,” he said. “This shouldn’t be happening anywhere in the country.”

As his bill remains pending in a state Senate committee, Michigan State University filed a lawsuit May 1 against ESPN after the network requested police reports related to a sexual assault investigation involving football players. That and a number of other cases are currently unfolding.

In April, the Portland, Oregon, school district filed a lawsuit against parent Kim Sordyl, who is seeking records about employees on leave for alleged misconduct after the disclosure that one psychologist had been off for three years. Sordyl said she believes the information will expose costly missteps by district human resources officials and lawyers, and the district attorney has already ordered the records to be released.

“They are going to great lengths to protect themselves and their own mismanagement. This is retaliation,” said Sordyl, who has hired an attorney. “Most people would give up.”

A district spokesman said the lawsuit, which also names a journalist who requested similar information, amounts to an appeal “in an area of public records law that we believe lacks clarity.”

“When this information is released prematurely, the district’s position is that the employees’ right to due process is jeopardized,” spokesman Dave Northfield said.

The University of Kentucky prevailed in January when a judge blocked the release of records sought by its student newspaper detailing the investigation of a professor who resigned after being accused of groping students.

The judge agreed with the university that the records would violate the privacy rights of students who were victims even if their names were redacted.

While that ruling is on appeal, Western Kentucky University filed a similar lawsuit against its paper, the College Heights Herald, which sought records related to allegations of sexual harassment and assault involving employees. Several other state universities released similar documents to the newspaper, and the state attorney general has ruled that they are public records.

“It’s not a good feeling knowing that we are being sued,” said Herald editor-in-chief Andrew Henderson, whose publication has been raising money to pay legal fees. “I just hope that something beneficial comes out of all of this for everyone involved.”

Users of Avast-owned security application CCleaner for Windows have been advised to update their software immediately, after researchers discovered criminal hackers had installed a backdoor in the tool. The tainted application allows for download of further malware, be it ransomware or keyloggers, with fears millions are affected. According to Avast’s own figures, 2.27 million ran the affected software, though the company said users should not panic.

The affected app, CCleaner, is a maintenance and file clean-up software run by a subsidiary of anti-virus giant Avast. It has 2 billion downloads and claims to be getting 5 million extra a week, making the threat particularly severe, researchers at Cisco Talos warned. Comparing it to the NotPetya ransomware outbreak, which spread after a Ukrainian accounting app was infected, the researchers discovered the threat on September 13 after CCleaner 5.33 caused Talos systems to flag malicious activity.

Further investigation found the CCleaner download server was hosting the backdoored app as far back as September 11. Talos warned in a blog Monday that the affected version was released on August 15, but on September 12 an untainted version 5.34 was released. For weeks then, the malware was spreading inside supposedly-legitimate security software.

Cisco Talos

The CCleaner app, designed to help users carry out good cyber hygiene, was itself infected.

The malware would send encrypted information about the infected computer – the name of the computer, installed software and running processes – back to the hackers’ server. The hackers also used what’s known as a domain generation algorithm (DGA); whenever the crooks’ server went down, the DGA could create new domains to receive and send stolen data. Use of DGAs shows some sophistication on the part of the attackers.

Downplaying the threat?

CCleaner’s owner, Avast-owned Piriform, has sought to ease concerns. Paul Yung, vice president of product at Piriform, wrote in a post Monday: “Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process.

“The threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker.

“Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.”

Not all are convinced by the claims of Piriform, acquired by Avast in July. “I have a feeling they are downplaying it indeed,” said Martijn Grooten, editor of security publication Virus Bulletin. Of the Piriform claim it had no evidence of much wrongdoing by the hacker, Grooten added: “As I read the Cisco blog, there was a backdoor that could have been used for other purposes.

“This is pretty severe. Of course, it may be that they really only stole … ‘non-sensitive data’ … but it could be useful in follow-up targeted attacks against specific users.”

In its blog, Talos’ researchers concluded: “This is a prime example of the extent that attackers are willing to go through in their attempt to distribute malware to organizations and individuals around the world. By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users’ inherent trust in the files and web servers used to distribute updates.”

Avast CTO: No need to panic

Avast chief technology officer Ondrej Vlcek said there was, however, little reason to panic. He told Forbes the company used its Avast security tool to scan machines on which the affected CCleaner app was installed (in 30 per cent of Avast installs, CCleaner was also resident on the PC). That led to the conclusion that the attackers hadn’t launched the second phase of their attack to cause more harm to victims.

“2.27 million is certainly a large number, so we’re not downplaying in any way. It’s a serious incident. But based on all the knowledge, we don’t think there’s any reason for users to panic,” Vlcek added. “To the best of our knowledge, the second-stage payload never activated… It was prep for something bigger, but it was stopped before the attacker got the chance.” He said Cisco Talos wasn’t the first to notify Avast of the issues, another unnamed third party was.

It’s unclear just who was behind the attacks. Yung said the company wouldn’t speculate on how the attack happened or possible perpetrators. For now, any concerned users should head to the Piriform website to download the latest software.

Verizon has decided to abruptly cut off wireless internet to some 8,500 rural customers in 13 states, saying their heavy data use had made it impossible to profit off of the accounts—even though many of the users had purchased unlimited plans.

“Approximately 8,500 customers—using a variety of plans—were notified this month that we would no longer be their service provider after October 17th, 2017,” Verizon corporate communications director Kelly Crummey told BGR. “These customers live in 13 states (Alaska, Idaho, Iowa, Indiana, Kentucky, Maine, Michigan, Missouri, Montana, North Carolina, Oklahoma, Utah and Wisconsin) and in areas outside of where Verizon operates our own network.”

Letters Verizon is sending to the affected customers are blunt, to say the least.

“During a recent review of customer accounts, we discovered you are using a significant amount of data while roaming off the Verizon Wireless network,” Verizon wrote, according to Ars Technica. “While we appreciate you choosing Verizon, after October 17th, 2017, we will no longer offer service for the numbers listed above since your primary place of use is outside the Verizon service area.”

No option to continue, with or without reducing use of mobile data, was given.

Per BGR, the issue stems from Verizon’s LTEiRA program, in which the company pairs with 21 regional carriers to provide mobile access to rural regions. Verizon users get to jump on board those regional networks whenever they want, though when they use roaming data Verizon is responsible for paying the carriers’ fees.

While Verizon says some of the users were using as much as a terabyte of data monthly, one family reported they had been using less than 50 gigabytes of data across four lines every month on an unlimited data plan.

“Now we are left with very few choices, none of them with good service,” a member of the family told Ars Technica. “I guess small-town America means nothing to these people. It’s OK—though I live in a small town, I know a lot of people, and I’m telling every one of them to steer clear of Verizon.”

Verizon’s decision has ramifications for the regional carriers as well, which say the company encouraged them to build infrastructure to expand their service areas but is now backing out on the deal.

Though US telecoms have long gotten away with the digital equivalent of murder while providing terrible service, Verizon’s decision is particularly ominous given it could soon be given free license to treat rural customers even more poorly. The Federal Communications Commission and its Donald Trump-appointed chairman Ajit Pai have recently sought to slash the agency’s standards for what it considers acceptable access to broadband, including by allowing service providers to pass off mobile service as a replacement for home internet—a decision that would disproportionately impact poor Americans.

Microsoft is ramping up Azure data security with encryption of data while in use, a protection so far absent from the public cloud, the company announced today.

The new collection of features and services, called Azure “confidential computing,” is the product of joint collaboration among the Azure team, Microsoft Research, Windows, its Developer Tools group, and Intel, all of which have been building the technology for over four years. Microsoft is making the new features available to users via an Early Access program.

Confidential computing lets users process data in the cloud, knowing it’s under their control. The new Azure update arrives at a time when data breaches regularly make headlines and attackers find new ways to steal personally identifiable information (PII), financial data, and intellectual property.

Many businesses hesitate to move sensitive data to the cloud for fear it will be compromised while in use.

“While many breaches are the result of poorly configured access control, most can be traced to data that is accessed while in use, either through administrative accounts, or by leveraging compromised keys to access encrypted data,” says Azure CTO Mark Russinovich in a blog post.

Data has to be “in the clear” for efficient processing. In confidential computing, it’s stored inside a Trusted Execution Environment (TEE). This ensures data and operations cannot be viewed from the outside, even if the attacker is using a debugger.

Microsoft uses enclaves to protect data in SQL Server, its own infrastructure, and blockchain financial operations, a technology known as the Coco Framework. The same tech will be applied to bring encryption-in-use to Azure SQL Database and SQL Server. This builds on the Always Encrypted capability, which encrypts sensitive data in an SQL database at all times by assigning computations on sensitive data to an enclave, where it is decrypted and processed.

Only authorized code is allowed to access the data inside an enclave. And if an attacker tries to manipulate the code, Azure denies the operations and disables the environment. TEE maintains this level of protection for as long as the code inside it is executed.

Microsoft says the ability to protect data in use can safeguard information from specific threats such as malicious insiders with administrative privilege or access to the hardware on which it’s processed. Confidential computing also protects against third parties accessing data without the owner’s consent, and malware designed to exploit bugs in the application, OS, or hypervisor, Microsoft says.

The platform Microsoft is building as part of confidential computing will let developers use multiple TEEs without requiring them to change code. At first Azure will support two: software-based Virtual Secure Mode (VSM) and hardware-based Intel SGX.

VSM is an enclave implemented by Hyper-V in Windows 10 and Windows Server 2016. Hyper-V prevents administrator code from running on a computer or server. Local and cloud-service administrators cannot see the contents in, or change the execution of, the VSM enclave.

The Intel SGX TEE has the first SGX-capable servers in the public cloud. Users will be able to leverage SGX enclaves if they don’t want their trust model to include Azure or Microsoft. Microsoft is working with both Intel and other partners to create and support more TEEs.

Microsoft foresees application of confidential computing in industries including finance, healthcare, and artificial intelligence. “In finance, for example, personal portfolio data and wealth management strategies would no longer be visible outside of a TEE,” says Russinovich.